Kappa Ransomware

It is unlikely that you will discover Kappa Ransomware before it encrypts your files. This infection is very clandestine, and it encrypts files in a silent manner. Once it is done with all that, it immediately introduces itself to you to help you understand the situation. The infection uses a window and two TXT files to give you information regarding this situation. Of course, the objective behind this information is to convince you that you need to pay a ransom to get your files decrypted. Is that the case? Do you really need to put your money on the line? Our research team does not recommend paying the ransom or following any other demands because that is unlikely to benefit you. All in all, that is the decision you have to make for yourself, and, hopefully, the information presented in this report will help you take the right steps. Obviously, regardless of what you do, removing Kappa Ransomware is mandatory, and the instructions we have added to this guide should assist you.

At the time of research, Kappa Ransomware was still in development, but it could be a matter of time before this infection is released, if it has not happened already. After analyzing this infection, it has become clear that it is capable of encrypting files, which, of course, is the main goal behind this malware. It was discovered that the ransomware should use an AES cipher to encrypt files, and an RSA cipher should be used for the encryption of the AES key. Speaking of encryption, Kappa Ransomware should target over 130 different types of files, including .rar, .avi, .doc, .gif, and .jpeg. The infection should only encrypt files in the %USERPROFILE% directory and its subfolders, and it should also add the “.OXR” extension to all of their names. After the encryption, the threat should send the encryption key and a unique Client ID (we discuss this further in the report) to http://185.106.120.162/key/key.php?hwid=, but that, of course, is something that could change. Also, two files named “1 What happens with my files.txt” and “1 How to buy Bitcoin.txt” are created to introduce you to the ransom demands.

Besides encrypting files, Kappa Ransomware can also record certain information about your system. Our research has revealed that the threat can record data regarding your Processor model, Hard Drives, RAM amount, CPU model, Motherboard model, victim's default gateway, language, BIOS manufacturer and model, OS information, Computer name, Account name, and MAC Address. The Processor ID, Hard Drive serial number, and MAC Address are used to create the unique Client ID. It is represented via the main infection’s window that also informs about the encryption of files. The same information is represented via the file called “1 What happens with my files.txt”. The second file – “1 How to buy Bitcoin.txt” – gives a more detailed guide showing the victim how to create a Bitcoin account, purchase a set amount of Bitcoins, and then send them to the specified Bitcoin address. After that, an email confirming the transaction of the ransom should be sent. At this point, the email address and other details are not specified because the malicious Kappa Ransomware is still being tested. If any more details are discovered, this report will be updated. For now, we need to discuss the removal of this threat.

According to our research, Kappa Ransomware does not create copies of itself, which should make the removal of this malware a little easier. Of course, if you cannot identify the .exe file responsible for executing this threat, deleting Kappa Ransomware manually might be impossible for you. There is no need to panic because legitimate anti-malware software can help everyone. Install it now and have the malicious infection deleted immediately. We strongly recommend using this tool – even if you are equipped to erase the threat manually – because, first of all, it can erase any other malicious threats if they exist, and, second, it can reestablish full-time protection. What about your personal files? They will not be restored by removing the ransomware, but the truth is that you might be unable to restore them at all. You are unlikely to recover them by paying the ransom, and free file decryptors are usually helpless too. In the best-case scenario, your personal files are backed up, and you have not lost them. If you were not this cautious before the ransomware hit, start backing up files to keep them safe in the future.

Kappa Ransomware Removal

Close the main window of the ransomware.

Identify the {unknown name}.exe file that belongs to the ransomware.

Right-click and Delete the malicious file.

Delete the file named 1 What happens with my files.txt (might have copies).
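
To find every ransom note copy and see which files were renamed before you start deleting, the following read-only inventory script can be run over the user profile. It is an added example, not part of the original report or any vendor tool; it assumes the “.OXR” extension is appended to the full original file name, and the sample tree built in `demo()` is constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".oxr"  # ".OXR" per the report, compared case-insensitively
NOTE_NAMES = {"1 what happens with my files.txt", "1 how to buy bitcoin.txt"}

def triage(root):
    """Read-only walk of root; returns (encrypted paths, note paths, Counter of original extensions)."""
    encrypted, notes, original_exts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):  # skip unreadable dirs
        for name in files:
            lower = name.lower()
            path = Path(dirpath) / name
            if lower in NOTE_NAMES:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # Assumption: the extension is appended, e.g. "cv.doc.OXR" -> ".doc"
                stem = name[: -len(ENCRYPTED_EXT)]
                original_exts[Path(stem).suffix.lower() or "(none)"] += 1
    return sorted(encrypted), sorted(notes), original_exts

def demo():
    """Run triage over a constructed sample tree (all file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = ["Documents/cv.doc.OXR", "Documents/1 What happens with my files.txt",
                  "Pictures/cat.JPEG.oxr", "Pictures/1 What happens with my files.txt",
                  "Desktop/1 How to buy Bitcoin.txt", "Desktop/notes.txt", "Videos/clip.avi.OXR"]
        for rel in sample:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"constructed sample")
        encrypted, notes, exts = triage(root)
        return ([p.relative_to(root).as_posix() for p in encrypted],
                [p.relative_to(root).as_posix() for p in notes], dict(exts))

if __name__ == "__main__":
    # On Windows, USERPROFILE is the directory the report says is targeted.
    enc, found_notes, exts = triage(os.environ.get("USERPROFILE", str(Path.home())))
    print(f"{len(enc)} encrypted files, {len(found_notes)} ransom notes")
    for ext, count in exts.most_common():
        print(f"  {ext}: {count}")
    for note in found_notes:
        print(f"  note: {note}")
```

The script only lists files and deletes nothing, so the output can be compared against your backups to decide what needs restoring.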